2021-11-19 14:22:39

by Marco Elver

Subject: [PATCH 1/2] kasan: add ability to detect double-kmem_cache_destroy()

Because mm/slab_common.c is not instrumented with software KASAN modes,
it is not possible to detect use-after-free of the kmem_cache passed
into kmem_cache_destroy(). In particular, because of the s->refcount--
and subsequent early return if non-zero, KASAN would never be able to
see the double-free via kmem_cache_free(kmem_cache, s). To be able to
detect a double-kmem_cache_destroy(), check accessibility of the
kmem_cache, and in case of failure return early.

While KASAN_HW_TAGS is able to detect such bugs, by checking
accessibility and returning early we fail more gracefully and also
avoid corrupting reused objects (where tags mismatch).

A recent case of a double-kmem_cache_destroy() was detected by KFENCE:
https://lkml.kernel.org/r/[email protected], which was not detectable by software KASAN modes.

Signed-off-by: Marco Elver <[email protected]>
---
mm/slab_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slab_common.c b/mm/slab_common.c
index e5d080a93009..4bef4b6a2c76 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -491,7 +491,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
{
int err;

- if (unlikely(!s))
+ if (unlikely(!s || !kasan_check_byte(s)))
return;

cpus_read_lock();
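Review bot: the new `kasan_check_byte(s)` half of the early-return guard deserves a one-line comment, because next to `!s` it reads like a redundant sanity check and a later cleanup could drop it without realising it is what turns a double kmem_cache_destroy() into a KASAN report instead of a silent `s->refcount--` on freed memory. Something like `/* Double-destroy: report and bail if the cache was already freed. */` directly above the `if` would carry the intent that is currently only in the commit message.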
--
2.34.0.rc2.393.gf8c9666880-goog
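A user-space model of the refcount-then-early-return path the commit message describes, added here as a constructed illustration and not code from the patch or the kernel; `cache_model`, `check_byte` and `double_destroy` are stand-ins for `struct kmem_cache`, `kasan_check_byte()` and the create/destroy/destroy sequence, and the shadow `poisoned` flag plays the role of KASAN's poisoning of a freed object.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed user-space model (not kernel code): refcounted cache slots, a
 * destroy() that drops the count and returns early while it is non-zero, and
 * a per-slot shadow flag standing in for KASAN poisoning of a freed object. */
#define MAX_OBJS 4
struct cache_model { int refcount; };
static struct cache_model pool[MAX_OBJS];
static bool poisoned[MAX_OBJS];   /* shadow: slot freed (quarantined) */
static int kasan_reports;         /* simulated KASAN reports so far */

static int slot_of(const struct cache_model *s) { return (int)(s - pool); }
/* Stand-in for kasan_check_byte(): report and fail if the slot is poisoned. */
static bool check_byte(const struct cache_model *s)
{
    if (poisoned[slot_of(s)]) { kasan_reports++; return false; }
    return true;
}

static struct cache_model *cache_create(void)
{
    for (int i = 0; i < MAX_OBJS; i++)
        if (pool[i].refcount == 0 && !poisoned[i]) { pool[i].refcount = 1; return &pool[i]; }
    return NULL;
}

enum outcome { DESTROY_FREED, DESTROY_SKIPPED, DESTROY_REPORTED };
/* with_check=false mirrors pre-patch kmem_cache_destroy(); true mirrors the patch. */
static enum outcome cache_destroy(struct cache_model *s, bool with_check)
{
    if (!s) return DESTROY_SKIPPED;
    if (with_check && !check_byte(s)) return DESTROY_REPORTED; /* bail, object untouched */
    s->refcount--;                     /* uninstrumented write, freed or not */
    if (s->refcount) return DESTROY_SKIPPED;   /* the silent early return */
    poisoned[slot_of(s)] = true;       /* kmem_cache_free(kmem_cache, s) */
    return DESTROY_FREED;
}

/* Create once, destroy twice; returns the outcome of the second destroy. */
static enum outcome double_destroy(bool with_check)
{
    memset(pool, 0, sizeof pool);
    memset(poisoned, 0, sizeof poisoned);
    kasan_reports = 0;
    struct cache_model *c = cache_create();
    cache_destroy(c, with_check);      /* legitimate first destroy */
    return cache_destroy(c, with_check);
}
static int reports_seen(void) { return kasan_reports; }
static int slot0_refcount(void) { return pool[0].refcount; }
```

Without the check the second destroy decrements the refcount of a freed slot to -1 and returns through the non-zero branch with no report at all; with the check it is reported and the freed object is left untouched.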



2021-11-19 14:22:42

by Marco Elver

Subject: [PATCH 2/2] kasan: test: add test case for double-kmem_cache_destroy()

Add a test case for double-kmem_cache_destroy() detection.

Signed-off-by: Marco Elver <[email protected]>
---
lib/test_kasan.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 40f7274297c1..4da4b214ed06 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -866,6 +866,16 @@ static void kmem_cache_invalid_free(struct kunit *test)
kmem_cache_destroy(cache);
}

+static void kmem_cache_double_destroy(struct kunit *test)
+{
+ struct kmem_cache *cache;
+
+ cache = kmem_cache_create("test_cache", 200, 0, 0, NULL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
+ kmem_cache_destroy(cache);
+ KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
+}
+
static void kasan_memchr(struct kunit *test)
{
char *ptr;
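Review bot: the second `kmem_cache_destroy(cache)` inside `KUNIT_EXPECT_KASAN_FAIL` only produces a report if the freed struct kmem_cache is still poisoned when it runs, and nothing in the function says so; a short comment stating that the case depends on the accessibility check added to kmem_cache_destroy() in 1/2 (and that HW_TAGS reports the same bug through the tag mismatch on `s->refcount--`) would make the expectation self-explanatory to someone reading only lib/test_kasan.c. It is also worth a comment that `cache` is dangling after the first destroy so that nothing else gets added to the function after it.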
@@ -1183,6 +1193,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(ksize_uaf),
KUNIT_CASE(kmem_cache_double_free),
KUNIT_CASE(kmem_cache_invalid_free),
+ KUNIT_CASE(kmem_cache_double_destroy),
KUNIT_CASE(kasan_memchr),
KUNIT_CASE(kasan_memcmp),
KUNIT_CASE(kasan_strings),
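Review bot: the new `KUNIT_CASE(kmem_cache_double_destroy)` entry makes this file depend on 1/2; with only 2/2 applied on a software KASAN build the second destroy goes undetected and the case fails, so the series must be applied in this order and the dependency should be spelled out in the 2/2 commit message for anyone picking the test up on its own. The placement next to `kmem_cache_double_free` and `kmem_cache_invalid_free` is the right spot.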
--
2.34.0.rc2.393.gf8c9666880-goog


2021-11-19 14:25:43

by Vlastimil Babka

Subject: Re: [PATCH 1/2] kasan: add ability to detect double-kmem_cache_destroy()

On 11/19/21 15:22, Marco Elver wrote:
> Because mm/slab_common.c is not instrumented with software KASAN modes,
> it is not possible to detect use-after-free of the kmem_cache passed
> into kmem_cache_destroy(). In particular, because of the s->refcount--
> and subsequent early return if non-zero, KASAN would never be able to
> see the double-free via kmem_cache_free(kmem_cache, s). To be able to
> detect a double-kmem_cache_destroy(), check accessibility of the
> kmem_cache, and in case of failure return early.
>
> While KASAN_HW_TAGS is able to detect such bugs, by checking
> accessibility and returning early we fail more gracefully and also
> avoid corrupting reused objects (where tags mismatch).
>
> A recent case of a double-kmem_cache_destroy() was detected by KFENCE:
> https://lkml.kernel.org/r/[email protected]
> , which was not detectable by software KASAN modes.
>
> Signed-off-by: Marco Elver <[email protected]>

Acked-by: Vlastimil Babka <[email protected]>

> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index e5d080a93009..4bef4b6a2c76 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -491,7 +491,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
> {
> int err;
>
> - if (unlikely(!s))
> + if (unlikely(!s || !kasan_check_byte(s)))
> return;
>
> cpus_read_lock();
>
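Review bot: the `kasan_check_byte(s)` guard here is best-effort rather than a guarantee, and the cover text could say so: it fires while the freed struct kmem_cache is still poisoned, but once the slab slot has been handed out again the byte is accessible under the software modes (which have no per-pointer tag to mismatch), the check passes, and the second destroy runs `s->refcount--` against the new owner's object exactly as before. That is still strictly better than no check, but "detect a double-kmem_cache_destroy()" reads as stronger than what the guard can promise.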


2021-11-19 14:36:15

by Andrey Konovalov

Subject: Re: [PATCH 1/2] kasan: add ability to detect double-kmem_cache_destroy()

On Fri, Nov 19, 2021 at 3:22 PM Marco Elver <[email protected]> wrote:
>
> Because mm/slab_common.c is not instrumented with software KASAN modes,
> it is not possible to detect use-after-free of the kmem_cache passed
> into kmem_cache_destroy(). In particular, because of the s->refcount--
> and subsequent early return if non-zero, KASAN would never be able to
> see the double-free via kmem_cache_free(kmem_cache, s). To be able to
> detect a double-kmem_cache_destroy(), check accessibility of the
> kmem_cache, and in case of failure return early.
>
> While KASAN_HW_TAGS is able to detect such bugs, by checking
> accessibility and returning early we fail more gracefully and also
> avoid corrupting reused objects (where tags mismatch).
>
> A recent case of a double-kmem_cache_destroy() was detected by KFENCE:
> https://lkml.kernel.org/r/[email protected]
> , which was not detectable by software KASAN modes.
>
> Signed-off-by: Marco Elver <[email protected]>
> ---
> mm/slab_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index e5d080a93009..4bef4b6a2c76 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -491,7 +491,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
> {
> int err;
>
> - if (unlikely(!s))
> + if (unlikely(!s || !kasan_check_byte(s)))
> return;
>
> cpus_read_lock();
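Review bot: this guard now calls `kasan_check_byte(s)` on every kmem_cache_destroy(), including kernels built without KASAN, so the commit message should confirm that the call is an always-true no-op there and that the `!s ||` short-circuit is what keeps a NULL cache from ever reaching the check. If there is a reason not to restrict the check to the software modes (the message notes that HW_TAGS already reports the tag mismatch), a sentence on why the early return is still wanted under HW_TAGS, presumably the "fail more gracefully" point, belongs in the message too.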
> --
> 2.34.0.rc2.393.gf8c9666880-goog
>

Reviewed-by: Andrey Konovalov <[email protected]>

Thanks!

2021-11-19 14:36:20

by Andrey Konovalov

Subject: Re: [PATCH 2/2] kasan: test: add test case for double-kmem_cache_destroy()

On Fri, Nov 19, 2021 at 3:22 PM Marco Elver <[email protected]> wrote:
>
> Add a test case for double-kmem_cache_destroy() detection.
>
> Signed-off-by: Marco Elver <[email protected]>
> ---
> lib/test_kasan.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 40f7274297c1..4da4b214ed06 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -866,6 +866,16 @@ static void kmem_cache_invalid_free(struct kunit *test)
> kmem_cache_destroy(cache);
> }
>
> +static void kmem_cache_double_destroy(struct kunit *test)
> +{
> + struct kmem_cache *cache;
> +
> + cache = kmem_cache_create("test_cache", 200, 0, 0, NULL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
> + kmem_cache_destroy(cache);
> + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
> +}
> +
> static void kasan_memchr(struct kunit *test)
> {
> char *ptr;
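Review bot: it is worth confirming that `kmem_cache_create("test_cache", 200, 0, 0, NULL)` cannot come back as an alias of an existing mergeable cache under any of the KASAN modes this test runs in; a merged cache would arrive with a refcount above one, the first `kmem_cache_destroy(cache)` would only decrement it, and the second call would then be a legitimate destroy that never touches freed memory, so `KUNIT_EXPECT_KASAN_FAIL` would fail for a reason unrelated to the detection being tested. If merging is already ruled out for these caches, a one-line comment saying so would save the next reader the same question.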
> @@ -1183,6 +1193,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(ksize_uaf),
> KUNIT_CASE(kmem_cache_double_free),
> KUNIT_CASE(kmem_cache_invalid_free),
> + KUNIT_CASE(kmem_cache_double_destroy),
> KUNIT_CASE(kasan_memchr),
> KUNIT_CASE(kasan_memcmp),
> KUNIT_CASE(kasan_strings),
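Review bot: with the case registered unconditionally, the one-line commit message of 2/2 should say that the test exercises the check added in 1/2, since a backport of the test without the slab_common.c change fails under the software modes and the log gives no hint why. Otherwise the entry is placed consistently with the function's position in the file.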
> --
> 2.34.0.rc2.393.gf8c9666880-goog
>

Reviewed-by: Andrey Konovalov <[email protected]>

Thanks!